Communications Infrastructure Security




  1. Communications Infrastructure Security

    Cloud Barrier Findings: Highlights of the 2013 FCC TAC Workgroup
  2. FCC TAC Working Group
     - The Technical Advisory Council (TAC) provides technical advice and recommendations to the Federal Communications Commission on a wide range of technologies.
     - The TAC is comprised of 5 workgroups:
       - Spectrum Frontiers
       - Expanding Wireless COTS
       - Spectrum and Receiver Performance
       - Resiliency in a Broadband Network
       - Communications Infrastructure Security
     - The Communications Infrastructure Security workgroup focused on clouds last year:
       - Identify areas of concern for the growing number of consumers and enterprises placing critical functions into the cloud.
       - Determine the best way to raise awareness of these concerns, promote best practices and assure that critical functions are protected in the cloud.
     - This presentation is designed to raise awareness of the work done by the Communications Infrastructure Security workgroup in 2013.
     - All material related to this workgroup can be found at http://www.fcc.gov/encyclopedia/technological-advisory-council
  3. (From the Sept-2013 FCC-TAC Report)
     Identified Areas of Concern:
       - Education
       - Accountability
       - Industry Collaboration
       - Certification & Auditing
     Work Products:
       - Short and Long Term Recommendations for the FCC
       - Whitepaper: “FCC TAC Communications Infrastructure Security Working Group Report: CLOUD SECURITY ANALYSIS AND RECOMMENDATIONS” (Dec 2013)
       - Whitepaper: “FCC TAC Communications Infrastructure Security Working Group Supplemental Report: Expanded Findings Around Mission Critical and Critical Infrastructure Cloud Usage: A More In-Depth Look at the Relevant Use Cases and Areas of Concern” (Dec 2013)
       - Recommendations for Future (e.g. 2014 TAC) Further Study Items
  4. Education Highlights
     Description:
       - Education is the cornerstone to expand the use of the cloud and to protect the security of the networks.
       - All actors need to make informed decisions about the cloud in order to advance cloud computing. Actors include providers, consumers, regulators, etc.
       - In order to make an informed decision, education and awareness materials are required.
       - Smaller government agencies, enterprise companies and individuals will benefit most from concise educational material.
       - NIST has contributed greatly to education and awareness: SP800-145, SP500-292 and Draft SP500-299 are readily available and consumable by all actors and stakeholders, not just USG (SP800-145 is the de facto world standard).
     Pitfalls:
       - Earlier-published material, relied upon or referenced by others, is not being kept up to date.
       - Vendor-specific methods and policies.
       - The volume of information available makes consumption largely impracticable.
       - Smaller entities will benefit most from education because of these pitfalls: small businesses, consumers and smaller government agencies lack the IT staff to cover cloud.
     Recommendations:
       - FCC to promote education and awareness to government, industry, and consumers (both enterprise and SMB/individual) through workshops, public awareness campaigns and web sites.
       - FCC to leverage trusted education sources: Cloud Security Alliance, Open Data Center Alliance, NIST, ENISA, etc.
  5. Accountability Highlights
     Description: An essential concept in the protection and security of electronic information whereby every individual that works with an information system should have specific responsibilities for the assurance and integrity of the information.
     Accountability Goals:
       - Define responsibilities of each party (Consumer, Provider, Carrier, Auditor) per Service Model (IaaS, PaaS, SaaS)
       - Ensure protection methods across services (IaaS, PaaS, SaaS, Storage, etc.)
       - Baseline Certification & Auditing methods of compliance
       - Drive consistency of environment measurement and assurance for consumers
     Relevant Work - Baseline (see supporting slides):
       - NIST SP500 and SP800 (Computer Security) series; NIST SP500-292, SP800-144, SP800-146 (Privacy)
       - CSA Security Guidance, CSA SLA Guidance
     Pitfalls:
       - Lines of accountability are unclear in SLAs (breaches, advanced persistent threats, etc.)
       - SLAs do not adequately cover compensation for data breach or loss
     Recommendations:
       - Develop easy-to-access and easy-to-understand content to make cloud consumers aware of SLAs and their domain, and of the suitability of cloud for their use case
       - Study any specific recommendations that may need to be developed for Critical Infrastructure cloud services
       - Extend the scope of Accountability beyond security to other areas such as availability and performance
       - Study the impact of new SDN / NFV technologies on cloud security implications and update these recommendations
  6. Industry Collaboration Highlights
     Description:
       - With 95% of the nation’s critical infrastructure owned and operated by the private sector, industry collaboration on network access, resiliency, and cyber security is essential to assure the security, privacy and economic health of the nation.
       - It is important to foster an environment of sharing across the industry where threats and attacks can be openly discussed without fear of negative business or financial impact.
       - Industry collaboration takes three primary forms:
         - Industry-to-industry collaboration: industry-organized and industry-led
         - Industry-sponsored collaboration that funnels guidance to government
         - Government-sponsored entities that foster/facilitate industry input
     Recommendations:
       - Incorporate network access and security education and awareness “toolkit” information into 2014 FCC meetings with industry partners
       - FCC to consider holding public-private partnership workshops in 2014 that gather and disseminate network & access standards
       - FCC to partner with other government entities overseeing these issues (DHS, NIST, WH/OMB) to ensure industry participation & adoption
       - The TAC recommends an FCC-convened “clean room” for information sharing
  7. Certification & Auditing: Highlights
     Description: Attaining an accreditation attesting that any vendor’s solution does what the vendor claims. This is not limited to initial environment validation but includes ongoing auditing of the environment to assure continuous compliance with the original attestation. This accreditation can be in the form of third-party assessments or self-assessments. Recommendations herein are scoped to security certification and auditing in cloud environments.
     Why this matters: Smaller entities cannot afford the due diligence needed to navigate the complexity of selecting the best cloud providers for their needs. They simply resist using the cloud.
     Scope: enterprise/consumer, mission critical/critical infrastructure, cloud network access
     Certification & Auditing Goals:
       - Gain and maintain subscriber trust in the solution
       - Provide transparency
       - Reduce costs of evaluation
       - Drive consistency of environment measurement
     Take-away: Cloud audit and certification programs are new, continue to evolve, and often overlap existing certification/compliance schemes.
     General Takeaways and Recommendations:
       - There is no “one size fits all” solution for cloud services.
       - There are existing certifications and requirements that need to be leveraged where possible, such as FedRAMP for federal agencies (certifications described on the supporting slide).
       - Enterprise cloud customers should leverage the newly evolving CSA Open Certification Framework (OCF) to enhance the cloud vendor selection process: a multi-layered structure based on customer needs, with three levels (tiers) defined within the OCF.
  8. Conclusions and Next Steps
     - The future impact of cloud computing cannot be overstated: it is rapidly progressing and evolving with considerable complexity.
     - Cloud security and cloud resiliency have significant bearing on the economic viability of the country and the safety of our citizens.
     - The FCC should consider the implications of cloud computing but (as always) must strike a balance in how it acts.
     - Cloud provides accessible/affordable professional services for entities with limited (private) means: the rising tide.
     - Because of the newness and significant leverage of the paradigm, the stakes are much higher overall for failures and missteps (e.g., the EU considers cloud critical infrastructure).
     Future Suggested Activities (e.g., TAC 2014):
       - Expand the analysis to include cloud resilience, availability and performance
       - Focus additional security analysis around critical infrastructure usages of cloud
       - Help the FCC create alliances and joint forums with industry / government partners
  9. Supporting Slides

    Content presented to the FCC December 9th 2013
  10. Education

  11. Education: Description & Background
     - Education is the cornerstone to expand the use of the cloud and to protect the security of the networks.
     - All actors need to make informed decisions about the cloud in order to advance cloud computing. Actors include providers, consumers, regulators, etc.
     - In order to make an informed decision, education and awareness materials are required.
     - Smaller government agencies, enterprise companies and individuals will benefit most from concise educational material.
     - We did a high-level review of the current state of education and awareness in the industry today.
     - There is a role for the FCC in promoting education and awareness to government, industry, and consumers (both enterprise and SMB/individual).
  12. Education and Awareness: Best Practices
     - There is a lot of material published today which can be used. Some of it is marketing and hype more than reality, and some is very high level.
     - An overload of information makes it difficult for small users to locate pertinent resources for cloud uses and security.
     - NIST has contributed greatly to education and awareness: SP800-145, SP500-292 and Draft SP500-299 are readily available and consumable by all actors and stakeholders, not just USG (SP800-145 is the de facto world standard).
     - There are several ‘trusted’, objective sources for educational material:
       - Industry associations such as the Cloud Security Alliance, Open Data Center Alliance and others, whose goal is to produce independent guidance and best practices
       - Government agencies in other countries and communities, e.g. the European Network and Information Security Agency (ENISA)
       - Some industry players have produced reasonably independent material (Microsoft, Google and Amazon included)
       - Academia is creating undergraduate and master’s degrees as well as certificate programs
  13. Education and Awareness: Analysis of the Current Landscape
     - Much of the guidance published is high-level, service-specific or has a marketing focus.
     - Material tends to be vendor-specific.
     - Earlier-published material, which is relied upon or referenced by others, is not being kept up to date.
     - Collections of best practices and case studies are not understandable by, or available to, the general user.
     - The volume of information available makes consumption largely impracticable.
  14. Education and Awareness: Recommendations
     General Takeaways:
       - Education is one of the best tools to use and in the long run will provide the greatest awareness of cloud security issues.
       - Small enterprise users will benefit the most from a targeted education and awareness campaign.
     Near-term:
       - FCC can collaborate with industry and academia to identify the best E&A materials from publicly (and freely) available sources.
       - Material should be evangelized.
       - Small investments by government and industry could be made to update older material to make it relevant. Investment need not be ‘cash’, but labor.
       - FCC could incorporate materials from others into its own portfolio.
       - Published materials should include a website reference for small business.
  15. Education and Awareness: Recommendations (continued)
     Long-term:
       - FCC can work with others to identify gaps in E&A material focused at, or about, cloud carriers and develop its own materials. There is still a lot of work to be done, and the FCC is best placed to lead this work.
       - Include topics such as carrier security, routing, DNS, etc.
       - Hold workshops to increase education and awareness.
       - Work with industry and associations to create a long-term strategy for the development and sustainability of one’s own published material.
     Public Awareness:
       - Continue investment in the evangelizing of material to promote adoption.
       - Develop liaisons with other governmental agencies to have recently created material posted on websites, updated and disseminated to users (i.e., SBA, USDA, NTIA, cloud providers, industry associations, smart communities and broadband providers).
       - Provide information to cloud and broadband providers to place on websites for consumers’ use.
  16. Accountability

  17. Accountability: Description & Background
     Description: “An essential concept in the protection and security of electronic information whereby every individual that works with an information system should have specific responsibilities for the assurance and integrity of the information.”
     Accountability Goals (security is the TAC focus):
       - Define responsibilities of each party (Consumer, Provider, Carrier, Auditor) per Service Model (IaaS, PaaS, SaaS)
       - Ensure protection methods across services (IaaS, PaaS, SaaS, Storage, etc.)
       - Baseline Certification & Auditing methods of compliance
       - Drive consistency of environment measurement and assurance for consumers
     Increased adoption of outsourcing IT-like functions and responsibilities, accompanied by increased threats of data hijacking & theft, warrants greater knowledge of data protection and validation of roles & responsibilities.
  18. Accountability: Best Practices
     Existing industry best practices for guidance:
       - NIST SP500 (Information Technology) & SP800 (Computer Security) series
       - NIST SP500-292, Cloud Computing Reference Architecture
       - Security Guidance For Critical Areas Of Focus In Cloud Computing V3.0, Cloud Security Alliance, 2011
       - Practical Guide to Cloud Service Level Agreements Version 1.0, Cloud Standards Customer Council, April 10, 2012
     Specific publications:
       - SP800-144, Guidelines on Security and Privacy in Public Cloud Computing
       - SP800-146, Cloud Computing Synopsis and Recommendations
       - Cloud Security Alliance: highlights best practices for cloud computing security assurance
     Larger enterprises have purchasing leverage to negotiate Service Level Agreements (SLAs) to ensure better protection, performance, and stronger accountability if issues arise.
  19. Accountability: Analysis of the Current Landscape
     - Knowledge or understanding of accountability is limited or undefined when outsourcing data to the cloud.
     - Lines of accountability are unclear, and finding information on best practices is cumbersome.
     - Certain network access methods are more secure and less vulnerable to MITM (Man-In-The-Middle) attacks such as DNS spoofing and BGP hijacking.
     - Data protection regimes such as PCI DSS and HIPAA focus on specific industries / data types.
     - In the area of auditing and SLAs, many documented challenges have come not from a cloud provider’s ability to service a customer, but from the ability of the customer’s systems to interface properly with the cloud.
     - In the area of BC / DR, it is common to see a false sense of security among cloud consumers regarding disaster recovery planning.
  20. Accountability: Recommendations
     General Takeaways:
       - Security is as strong as the weakest link in the end-to-end ecosystem of actors.
       - Accountability of the various actors in the ecosystem depends on the service model.
     Short Term Recommendations:
       - Develop easy-to-access and easy-to-understand content to make cloud consumers aware of:
         - the need for, and attributes of, the various domains of an SLA between ecosystem players and their dependency on the service model, since accountability (expectations and recourse) is captured in the SLA [1, 2];
         - the need to evaluate the suitability of cloud for their business needs and to conduct due diligence to evaluate the security capabilities (e.g. compliance certificates, audit reports, BC / DR) of cloud ecosystem players for all layers of the “stack” when migrating to the cloud, being in the cloud and exiting from the cloud.
     Long Term Recommendations:
       - Study any specific recommendations that may need to be developed for Critical Infrastructure cloud services.
       - Extend the scope of accountability beyond security to other areas such as availability and performance.
       - Study the impact of new SDN / NFV technologies on cloud security implications and update these recommendations.
     [1] Security Guidance For Critical Areas Of Focus In Cloud Computing V3.0, Cloud Security Alliance, 2011
     [2] Practical Guide to Cloud Service Level Agreements Version 1.0, Cloud Standards Customer Council, April 10, 2012
  21. Industry Collaboration

  22. Industry Collaboration: Description & Background
     - Industry collaboration functions as a central tenet of the multi-stakeholder approach to Internet governance.
     - With 95% of the nation’s critical infrastructure owned and operated by the private sector, industry collaboration on network access, resiliency, and cyber security is essential.
     - Industry collaboration takes three primary forms:
       - Industry-to-industry collaboration: industry-organized and industry-led
       - Industry-sponsored collaboration that funnels guidance to government
       - Government-sponsored entities that foster/facilitate industry input
  23. Industry Collaboration: Best Practices
     - Industry collaboration contributes standards and certification requirements to three crucial priorities: network access, resiliency, and cyber security.
     - Progress stems from industry-government cooperation and collaboration.
     - Recent network access and security initiatives by government have supplemented ongoing private-sector collaboration initiatives, and include:
       - 2007: Government establishes the Trusted Internet Connection (TIC) program
       - 2009: President establishes the first-ever Federal Chief Information Officer (CIO)
       - 2010: Federal CIO establishes the Federal Data Center Consolidation Initiative (FDCCI)
       - 2011: OMB launches the “Cloud First” initiative prioritizing information security, access, and cost savings
       - 2012: Government expands the “Bring Your Own Device” initiative for data access and security
       - 2013: President releases Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, including NIST-led industry collaboration on access & security standards
  24. Industry Collaboration: Best Practices in all 3 models
     Industry-to-industry collaboration:
       - The Information Technology Industry Council (ITI) links policymakers, companies, and non-governmental organizations to advance standards, cooperation, and interoperability.
       - TechAmerica fosters comprehensive global, national, and regional advocacy and high-level policy and technology collaboration, establishing standards and transparency in the ICT industry.
     Industry-sponsored collaboration that funnels guidance to government:
       - Sector Coordinating Councils (such as the IT-SCC) that develop standards and foster peer review and transparency standards for Service Level Agreement elements such as access & up-time.
       - Information Sharing & Analysis Centers (ISACs) that facilitate the exchange of both classified and unclassified cyber security information, including known threats and detection techniques.
     Government-sponsored entities that foster and facilitate industry input:
       - Presidential advisory panels such as the National Security Telecommunications Advisory Committee (NSTAC), with recent reports on cloud security, FirstNet, and secure government communications.
       - The National Institute of Standards and Technology (NIST), currently leading industry collaboration efforts on standards and incentives ensuring network access and security.
  25. Industry Collaboration: FCC TAC Recommendations
     - Existing best practices can be supported and enhanced by the FCC; legislative and Executive Branch policy puts jurisdiction elsewhere, but the FCC can build and nurture industry collaboration among key stakeholders.
     - The FCC has a unique convening capability to facilitate collaboration and cooperation.
     - The TAC recommends incorporating network access and security education and awareness “toolkit” information into 2014 FCC meetings with industry partners.
     - The TAC recommends the FCC consider holding public-private partnership workshops in 2014 that gather and disseminate network & access standards.
     - The TAC recommends the FCC partner with other government entities overseeing these issues (DHS, NIST, WH/OMB) to ensure industry participation & adoption.
     - The TAC recommends an FCC-convened “clean room” for information sharing.
  26. Certification & Audit

  27. Certification & Auditing: Description & Background
     Description: Attaining an accreditation attesting that any vendor’s solution does what the vendor claims. This is not limited to initial environment validation but includes ongoing auditing of the environment to assure continuous compliance with the original attestation. This accreditation can be in the form of third-party assessments or self-assessments. Recommendations herein are scoped to security certification and auditing in cloud environments.
     Why this matters: Smaller entities cannot afford the due diligence needed to navigate the complexity of selecting the best cloud providers for their needs.
     Scope: enterprise/consumer, mission critical/critical infrastructure, cloud network access
     Certification & Auditing Goals:
       - Gain and maintain subscriber trust in the solution
       - Provide transparency
       - Reduce costs of evaluation
       - Drive consistency of environment measurement
     Take-away: Cloud audit and certification programs are new, continue to evolve, and often overlap existing certification/compliance schemes.
  28. Certification & Auditing: Best Practices
     Enterprise/Network Access: best practices via CSA STAR / AICPA SOC 2
       - CSA STAR Self-Assessment / Certification / Attestation / Audit: self-assessment based on a questionnaire and/or the Cloud Controls Matrix (CCM); new third-party assessment based on the CCM and ISO 27001/2 or AICPA SOC 2.
       - AICPA SOC 2 control area scope: security, availability, processing integrity, confidentiality, privacy.
     Consumer:
       - Federal-level privacy rules/regulations are focused on financial/healthcare and children’s online privacy; a patchwork of state legislation covers the rest.
       - Third-party AICPA GAPP certifications are rare; TRUSTe self-certifications are becoming more common.
     Federal Government:
       - FedRAMP Authority to Operate for CSPs (Cloud Service Providers): CSPs must attain a FedRAMP authorization to sell cloud services to the federal government.
     Mission Critical & Critical Infrastructure:
       - The NIST Cybersecurity Framework will likely become the minimum standard.
       - IACP published Guiding Principles on Cloud Computing in Law Enforcement.
       - Critical infrastructure security controls include NERC CIP and NISTIR 7628, but they are not focused on the cloud.
  29. Certification & Auditing: Analysis of the Current Landscape
     - Cloud certification & audit frameworks are relatively new and continue to evolve (e.g. NIST, SOC 2, CSA STAR).
     - Certification/audit programs are generally rigorous and complex and favor large enterprises/government.
     - Federal agencies are covered by FedRAMP today, but a FedRAMP Authority to Operate (ATO) only extends to moderate-impact data, per FIPS 199 definitions.
     - Area of focus for non-federal agencies, which are not covered by FedRAMP:
       - Lack of transparency leads to mistrust; state and local endorsements are needed.
       - Feedback from external discussions: this needs to be organized at the federal level.
     Mission Critical & Critical Infrastructure:
       - A data classification standard is needed for CJI (Criminal Justice Information) data (e.g. FIPS 199).
       - CJIS data is not covered by any cloud certification body (i.e. high-impact data).
       - Public safety believes certification is needed.
       - SCADA data will have limited movement to public clouds, due to the inherent risks.
     Enterprise/Consumer:
       - Many solutions are increasingly delivered using a mix of different cloud solutions; the shared security model is not addressed.
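The ATO and CJIS points on this slide both rest on the FIPS 199 categorization rule: each information type gets a potential-impact value (LOW / MODERATE / HIGH, with NA allowed only for the confidentiality of public information) for confidentiality, integrity and availability; a system inherits the high-water mark per objective across the information types it processes, no system objective may remain NA, and the overall impact level is the highest of the three. The following is an added worked example of that rule, not material from the TAC deck, the FCC or NIST. The information types, their impact values and the function names are constructed for illustration (they are not SP 800-60 Volume II lookups); the only fact taken from the slide is that a FedRAMP authorization at the time covered moderate-impact data.

```python
"""FIPS 199 / SP 800-60 style security categorization (illustrative).

Added example, not from the FCC TAC deck. It applies the FIPS 199
high-water-mark rule to a system that processes several information
types and then checks whether a provider's authorization level (e.g. a
FedRAMP Moderate ATO) covers the resulting system impact level.
"""
from dataclasses import dataclass

# Ordering of FIPS 199 potential-impact values. "NA" (not applicable)
# is permitted only for the confidentiality of an information type.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its per-objective provisional impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impacts(self) -> dict:
        return {o: getattr(self, o) for o in OBJECTIVES}


def _validate(level: str, objective: str) -> str:
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError("NA is only allowed for confidentiality")
    return level


def _high_water(levels) -> str:
    return max(levels, key=lambda lv: IMPACT_RANK[lv])


def system_category(info_types) -> dict:
    """Per-objective high-water mark across all information types.

    FIPS 199 forbids NA at the system level, so an objective that is NA
    for every information type is floored to LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {}
    for o in OBJECTIVES:
        hw = _high_water(_validate(t.impacts()[o], o) for t in info_types)
        sc[o] = "LOW" if hw == "NA" else hw
    return sc


def system_impact_level(info_types) -> str:
    """Overall impact level: the highest of the three objectives (FIPS 200 rule)."""
    return _high_water(system_category(info_types).values())


def authorization_covers(ato_level: str, info_types) -> bool:
    """True if a provider authorized at `ato_level` covers the system's level."""
    return IMPACT_RANK[ato_level] >= IMPACT_RANK[system_impact_level(info_types)]


# Constructed sample information types (illustrative values, not SP 800-60).
PUBLIC_WEB = InfoType("public web content", "NA", "LOW", "LOW")
CASE_MGMT = InfoType("internal case tracking", "MODERATE", "MODERATE", "MODERATE")
CJI_LIKE = InfoType("criminal-history style records", "HIGH", "HIGH", "MODERATE")

if __name__ == "__main__":
    for system in ([PUBLIC_WEB, CASE_MGMT], [PUBLIC_WEB, CASE_MGMT, CJI_LIKE]):
        names = ", ".join(t.name for t in system)
        print(f"{names}: {system_category(system)} -> {system_impact_level(system)}; "
              f"FedRAMP Moderate covers: {authorization_covers('MODERATE', system)}")
```

Adding a single high-impact information type (the CJI-like records) lifts the whole system to HIGH, which is exactly why a Moderate authorization stops being sufficient for the mixed workload even though most of the data it holds is moderate or below.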
  30. Certification & Auditing: Recommendations
     General Takeaways:
       - There is no “one size fits all” solution for cloud services.
       - There are existing certifications and requirements that need to be leveraged where possible (described on the following slide).
       - Enterprise cloud customers should leverage the newly evolving CSA Open Certification Framework (OCF) to enhance the cloud vendor selection process: a multi-layered structure based on customer needs, with three levels (tiers) defined within the OCF.
  31. Certification & Auditing: Recommendations
  32. Certification & Auditing: Recommendations
  33. Conclusions and Next Steps
     - The future impact of cloud computing cannot be overstated: it is rapidly progressing and evolving with considerable complexity.
     - Cloud security and cloud resiliency have significant bearing on the economic viability of the country and the safety of our citizens.
     - The FCC is wise to consider the implications of cloud computing but (as always) must strike the balance of how it acts.
     - Cloud provides accessible/affordable professional services for entities with limited (private) means: the rising tide.
     - Because of the newness and significant leverage of the paradigm, the stakes are much higher overall for failures and missteps (e.g., the EU considers cloud critical infrastructure).
     Future Suggested Activities (e.g., TAC 2014):
       - Expand the analysis to include cloud resilience, availability and performance
       - Focus additional security analysis around critical infrastructure usages of cloud
       - Help the FCC create alliances and joint forums with industry / government partners